Internet Security Professional Reference:How to Build a Firewall


When an incoming connection is received on the telnet port with this configuration, the tn-gw application is started. When tn-gw receives a request, it first verifies that the requesting host is permitted to connect to the proxy. Access to the proxy is determined by the rules established in the netperm-table. These rules resemble those seen previously for the netacl application. However, there are application-specific parameters. The rule clauses for tn-gw are listed in table 6.3.

Table 6.3
tn-gw Rules and Clauses

userid user
    Specifies a numeric user-id or the name of a password file entry. If this value is specified, tn-gw will set its user-id before providing service.

directory pathname
    Specifies a directory to which tn-gw will chroot(2) prior to providing service.

prompt string
    Specifies a prompt for tn-gw to use while it is in command mode.

denial-msg filename
    Specifies the name of a file to display to the remote user if he or she is denied permission to use the proxy. If this option is not set, a default message is generated.

timeout seconds
    Specifies the number of seconds of idleness after which the proxy should be disconnected. Default is no timeout.

welcome-msg filename
    Specifies the name of a file to display as a welcome banner upon successful connection. If this option is not set, a default message is generated.

help-msg filename
    Specifies the name of a file to display if the “help” command is issued. If this option is not set, a list of the internal commands is printed.

denydest-msg filename
    Specifies the name of a file to display if a user attempts to connect to a remote server for which he or she is not authorized. If this option is not set, a default message is generated.

authserver hostname [portnumber [cipherkey]]
    Specifies the name or address of a system to use for network authentication. If tn-gw is built with a compiled-in value for the server and port, these values will be used as defaults but can be overridden if specified in the authserver rule. If support for DES-encryption of traffic is present in the server, an optional cipherkey can be provided to secure communications with the server.

hosts host-pattern [host-pattern2…] [options]
    Rules specify host and access permissions.

The initial configuration for the tn-gw application is shown here.

tn-gw:          denial-msg      /usr/local/etc/tn-deny.txt
tn-gw:          welcome-msg     /usr/local/etc/tn-welcome.txt
tn-gw:          help-msg        /usr/local/etc/tn-help.txt
tn-gw:          timeout 3600
tn-gw:          permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok


Note:  If any of the files identified in the denial-msg, welcome-msg, help-msg, or denydest-msg clauses are missing, the connection will be dropped as soon as a request is made for that file.

This configuration informs users when they are or are not allowed to connect to the proxy server, and when connections are denied due to their destination. The timeout line indicates how long the telnet connection can be idle before the firewall will terminate it. The last line establishes an access rule to the tn-gw application. This rule and the optional parameters are discussed shortly. A sample connection showing the host denial message is shown as follows:

$ telnet pc
Connecting to pc …

**** ATTENTION ****

Your attempt to use this server’s telnet proxy is not permitted due to
organizational security policies. Your connection attempt has been logged
and recorded.

Use of the telnet proxy Service on this machine is restricted to specific
sites. If you believe that you are an authorized site, please contact Jon
Smith at 555-1212 ext 502, or e-mail to ftpadmin@org.com.

Connection closed by foreign host
$

If the host is permitted to converse with the tn-gw application, tn-gw enters a command loop where it accepts commands to connect to remote hosts. The commands available within the tn-gw shell are listed in table 6.4.

Table 6.4
tn-gw Commands

c[onnect] hostname [port]
telnet hostname [port]
open
    Connects to a remote host. Access to the remote host may be denied based on a host destination rule.

x[-gw] [display/hostname]
    This command invokes the X Windows gateway for a connection to the user’s display. By default, the display name is the connecting machine followed by :0.0, as in pc.myorg.com:0.0. The x-gw command is discussed later in this chapter.

help
?
    Displays a user-definable help file.

quit
exit
close
    Exits the gateway.

Connecting Through the Telnet Proxy

When a permitted host connects to the proxy, it is greeted by the contents of the welcome file—configured in the tn-gw options—and by a prompt. At the prompt, tn-gw expects to receive one of the commands listed in table 6.4. When the connect request is made, the access rules are applied to the destination host to confirm that a connection to that host is permitted. If the connection is permitted, the connection is made. A successful connection is shown as follows:

Welcome to the URG Firewall Telnet Proxy

Supported commands are
        c[onnect] hostname [port]
        x-gw
        help
        exit
To report problems, please contact Network Security Services at 555-1212
or by e-mail at security@org.com

Enter Command>c sco.sco.com
Not permitted to connect to sco.sco.com
Enter Command>c nds.fonorola.net
Trying 204.191.124.252 port 23…

SunOS Unix (nds.fonorola.net)

login:

In this output you can see that a telnet connection is established to the firewall, from which the tn-gw application is started. The user first attempts to contact sco.sco.com, which is denied. A second connection request to nds.fonorola.net is then permitted. This sequence raises the question “what’s the difference?” The answer is that host destination rules are in force: a given destination may be blocked through options (such as -dest) on the hosts rule for tn-gw in the netperm-table.
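To make the source-host and -dest evaluation concrete, here is an added example (not code from the book or from the TIS Firewall Toolkit) that parses tn-gw access rules of the form shown above and reproduces the two decisions from the session: the denial for sco.sco.com and the permission for nds.fonorola.net. It assumes first-match semantics for both the hosts rules and the -dest patterns, shell-style wildcard matching, a deny when -dest patterns are present but none matches, and a deny-hosts rule form alongside permit-hosts; all of these are assumptions made for the example, as is the sample netperm-table excerpt, which is constructed.

```python
"""Toy evaluator for tn-gw host / destination rules (added example, not FWTK code)."""
from fnmatch import fnmatchcase

# Constructed sample excerpt of a netperm-table. The first rule is the one shown
# in the chapter; the deny-hosts line is an assumed extra rule for illustration.
SAMPLE_NETPERM_TABLE = """\
# constructed excerpt; non-access clauses are skipped by the evaluator
tn-gw:          timeout 3600
tn-gw:          permit-hosts 204.191.3.* -dest *.fonorola.net -dest !* -passok -xok
tn-gw:          deny-hosts 10.0.0.*
"""


def parse_rules(text, application="tn-gw"):
    """Return a list of (action, source_patterns, dest_patterns) in file order.

    dest_patterns is a list of (negated, pattern) pairs taken from -dest options;
    other options (-passok, -xok, ...) do not affect the host decision and are skipped.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        app, _, rest = line.partition(":")
        if app.strip() != application:
            continue
        tokens = rest.split()
        if not tokens or tokens[0] not in ("permit-hosts", "deny-hosts"):
            continue  # timeout, welcome-msg, etc. are not access rules
        action = "permit" if tokens[0] == "permit-hosts" else "deny"
        sources, dests = [], []
        i = 1
        while i < len(tokens) and not tokens[i].startswith("-"):
            sources.append(tokens[i])
            i += 1
        while i < len(tokens):
            if tokens[i] == "-dest" and i + 1 < len(tokens):
                pat = tokens[i + 1]
                dests.append((pat.startswith("!"), pat.lstrip("!")))
                i += 2
            else:
                i += 1
        rules.append((action, sources, dests))
    return rules


def _match(pattern, name):
    """Case-insensitive shell-style match: '*' spans any characters, '.' is literal."""
    return fnmatchcase(name.lower(), pattern.lower())


def check_source(rules, source):
    """First hosts rule whose source pattern matches decides; no match means deny."""
    for action, sources, dests in rules:
        if any(_match(p, source) for p in sources):
            return action, dests
    return "deny", []


def check_destination(dests, dest):
    """Walk -dest patterns in order; the first match decides, a '!' pattern denies.

    With no -dest options at all, any destination is allowed. If patterns exist
    but none matches, this example denies (assumption, not documented behaviour).
    """
    if not dests:
        return True
    for negated, pat in dests:
        if _match(pat, dest):
            return not negated
    return False


def evaluate(rules, source, dest):
    """Return a short verdict string for a proxied telnet request source -> dest."""
    action, dests = check_source(rules, source)
    if action != "permit":
        return "denied: host not permitted to use proxy"
    if not check_destination(dests, dest):
        return f"denied: not permitted to connect to {dest}"
    return f"permitted: {source} -> {dest}"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_NETPERM_TABLE)
    # Audit a few constructed (source, destination) pairs against the rules.
    for src, dst in [("204.191.3.17", "sco.sco.com"),
                     ("204.191.3.17", "nds.fonorola.net"),
                     ("10.0.0.7", "nds.fonorola.net"),
                     ("192.168.1.5", "nds.fonorola.net")]:
        print(f"{src:>14} -> {dst:<18} {evaluate(rules, src, dst)}")
```

Running it as a script prints one verdict per pair; the second pair is the only one permitted, matching the session transcript. The order of the two -dest patterns matters: swapping them would put the catch-all `!*` first and block every destination, which is the kind of mistake a rule audit like this catches before it reaches the firewall.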